Anonymous Ukraine Posts 7 Million Cards

Researchers Say Details Needed to Commit Fraud Lacking

An anti-American hacktivist group calling itself Anonymous Ukraine has posted more than 7 million credit card numbers online, but it appears unlikely most of them could be used to commit fraud, according to the cybersecurity firm Risk Based Security.

In a message posted on the open online forum Pastebin on March 24, the hacktivists provide four links corresponding to the card brands Visa, MasterCard, Discover and American Express. In its analysis, Risk Based Security, working with DataLossDB, a service that tracks data breaches across the Web, says the links point to archives that "appear to have valid card numbers, bank routing numbers and full names."

In its Pastebin post, Anonymous Ukraine claims it's in possession of "more than 800 million credit cards" and that the data dumps were the "first part" of its exposure.

The hacktivist group first posted details on approximately 950,000 cards online on March 24, and then followed the disclosure with an announcement later in the day on Twitter that it had released details on an additional 6 million cards, Risk Based Security says in a statement.

The security firm says that most of the card numbers exposed are not paired with CVV (card verification value) security codes or card expiration information. "Without this information, committing fraud with the leaked information may be more difficult," the firm says.

An examination of the cards shows a majority come from U.S. banks, Risk Based Security says. "Among the information released, approximately 4,000 come with full user data, including Social Security number, credit card, card expiration date, name, PINs, dates of birth, states and ZIP codes," the security firm says. The data may have also come from ATMs or point-of-sale systems, the company adds.

"It is still too early in our investigation to speculate on the source of the data or how usable it may be," a spokesperson for Risk Based Security told Information Security Media Group on March 25.

Michael Smith, CSIRT Director at Akamai Technologies, a DDoS mitigation provider, says credit card dumps like this are common. "Mostly, it's an intimidation tactic or a group trying to gain notoriety," he says. "I know there is one dump of FBI accounts floating around Pastebin that is not only bogus but it's been reposted every two months for the past three or more years."

In a March 28 update, Risk Based Security says the credit card dump contained valid but older card data that had been previously disclosed. "To date, there is no solid evidence this represents a new breach," the security firm says. "The last couple of weeks have seen tensions rising between Russia and Ukraine, and along with it an increase in computer crime."

In its Pastebin message, Anonymous Ukraine says: "After the USA showed its true face when she unilaterally decides which of the peoples to live independently and who under the yoke of the Federal Reserve, we decided to show the world who is behind the future collapse of the American banking system."

The spokesperson for Risk Based Security says the goal of the information dump may be to make an impact on the international financial system.

The four card brands did not immediately respond to a request for additional information.